
Cyber security is the practice of ensuring the integrity, confidentiality and availability
(ICA) of information. It represents the ability to defend against and recover from
accidents like hard drive failures or power outages, and from attacks by adversaries.
The latter includes everyone from script kiddies to hackers and criminal groups
capable of executing advanced persistent threats (APTs), and they pose serious
threats to the enterprise. Business continuity and disaster recovery planning are
every bit as critical to cyber security as application and network security.


Security should be top of mind across the enterprise, and come with a mandate from
senior management. The fragility of the information world we now live in also
demands strong cyber security controls. Management should see that all systems
are built to certain security standards and that employees are properly trained. All
code, for example, has bugs, and some of those bugs are security flaws. Developers
are only human, after all.

Security training
The human is always the weakest element in any cyber security program. Training
developers to code securely, training operations staff to prioritize a strong security
posture, training end users to spot phishing emails and social engineering attacks —
cyber security begins with awareness.

All companies will experience some kind of cyber attack, even if strong controls are
in place. An attacker will always exploit the weakest link, and many attacks are
easily preventable by performing basic security tasks, sometimes referred to as
“cyber hygiene.” A surgeon would never enter an operating room without washing
their hands first. Likewise, an enterprise has a duty to perform the basic elements of
cyber security care such as maintaining strong authentication practices and not
storing sensitive data where it is openly accessible.

A good cyber security strategy needs to go beyond these basics, though.


Sophisticated hackers can circumvent most defenses, and the attack surface — the
number of ways or “vectors” an attacker can gain entry to a system — is expanding
for most companies. For example, the information and the physical world are
merging, and criminals and nation-state spies now threaten the ICA of cyber-physical
systems such as cars, power plants, medical devices, even your IoT fridge. Similarly,
the trends toward cloud computing, bring your own device (BYOD) policies in the
workplace, and the burgeoning internet of things (IoT) create new challenges.
Defending these systems has never been more important.
Further complicating cyber security is the regulatory climate around consumer
privacy. Compliance with stringent regulatory frameworks like the European
Union's General Data Protection Regulation (GDPR) also demands new kinds of
roles to ensure that organizations meet the privacy and security mandates of the
GDPR and other regulations.

As a result, growing demand for cyber security professionals has hiring managers
struggling to fill positions with qualified candidates. That struggle requires
organizations to have a sharp focus on areas of greatest risk.

Types of cyber security


The scope of cyber security is broad. The core areas are described below, and any
good cyber security strategy should take them all into account.

Critical infrastructure

Critical infrastructure includes the cyber-physical systems that society relies on,
including the electricity grid, water purification, traffic lights and hospitals. Plugging a
power plant into the internet, for example, makes it vulnerable to cyber attacks. The
solution for organizations responsible for critical infrastructure is to perform due
diligence to understand the vulnerabilities and protect against them.
Everyone else should evaluate how an attack on critical infrastructure they depend
on might affect them and then develop a contingency plan.

Network security

Network security guards against unauthorized intrusion as well as malicious insiders.


Ensuring network security often requires trade-offs. For example, access controls
such as extra logins might be necessary, but slow down productivity.

Tools used to monitor network security generate a lot of data — so much that valid
alerts are often missed. To help better manage network security monitoring, security
teams are increasingly using machine learning to flag abnormal traffic and alert to
threats in real time.

Cloud security

The enterprise’s move into the cloud creates new security challenges. For example,
2017 has seen almost weekly data breaches from poorly configured cloud instances.
Cloud providers are creating new security tools to help enterprise users better
secure their data, but the bottom line remains: Moving to the cloud is not a
panacea for performing due diligence when it comes to cyber security.

Application security
Application security (AppSec), especially web application security, has become the
weakest technical point of attack, but few organizations adequately mitigate all the
OWASP Top Ten web vulnerabilities. AppSec begins with secure coding practices,
and should be augmented by fuzzing and penetration testing.

Rapid application development and deployment to the cloud has seen the advent of
DevOps as a new discipline. DevOps teams typically prioritize business needs over
security, a focus that will likely change given the proliferation of threats.

Internet of things (IoT) security

IoT refers to a wide variety of critical and non-critical cyber-physical systems, like
appliances, sensors, printers and security cameras. IoT devices frequently ship in an
insecure state and offer little to no security patching, posing threats to not only their
users, but also to others on the internet, as these devices often find themselves part
of a botnet. This poses unique security challenges for both home users and society.

Types of cyber threats


Common cyber threats fall under three general categories:

Attacks on confidentiality: Stealing, or rather copying, a target's personal
information is how many cyber attacks begin, including garden-variety criminal
attacks like credit card fraud, identity theft, or stealing bitcoin wallets. Nation-state
spies make confidentiality attacks a major portion of their work, seeking to acquire
confidential information for political, military, or economic gain.

Attacks on integrity: Also known by its common name, sabotage, integrity attacks
seek to corrupt, damage, or destroy information or systems, and the people who rely
on them. Integrity attacks can be subtle — a typo here, a bit fiddled there — or a
slash and burn campaign of sabotage against a target. Perpetrators can range from
script kiddies to nation-state attackers.

Attacks on availability: Preventing a target from accessing their data is most
frequently seen today in the form of ransomware and denial-of-service attacks.
Ransomware encrypts a target's data and demands a ransom to decrypt it. A
denial-of-service attack, typically in the form of a distributed denial-of-service (DDoS)
attack, floods a network resource with requests, making it unavailable.

The following describes the means by which these attacks are carried out.

Social engineering
